The StringEqual builtin can now deal with ExternalOneByteStrings
without going to the runtime. It still needs to go to the runtime
if the external string is short, i.e. if the resource data pointer
is not cached.

R=yangguo@chromium.org
BUG=v8:4913

Review-Url: https://codereview.chromium.org/2690853004
Cr-Commit-Position: refs/heads/master@{#43152}

The constructor for TypedArray in js/typedarray.js emitted
kInvalidTypedArrayAlignment if the array offset exceeded the size of the
underlying buffer. This seems like a typo introduced in
https://codereview.chromium.org/2090353003.

The error message to be emitted instead coincides with the already existing
kInvalidDataViewOffset. The message string is independent of whether the
object in question is a DataView or a typed array, so this CL:
  (1) renames kInvalidDataViewOffset to just kInvalidOffset, and
  (2) uses kInvalidOffset instead of kInvalidTypedArrayAlignment for cases
      when the TypedArray is constructed with an offset exceeding the buffer
      size.

BUG=v8:5733
TEST=Run d8, execute "new Uint8Array(new ArrayBuffer(1),2)", see the error message mention the invalid offset 2.

Review-Url: https://codereview.chromium.org/2692753002
Cr-Commit-Position: refs/heads/master@{#43151}

This CL fixes some nits in TypeError messages, unifying the form of
kDefineDisallowed and kObjectNotExtensible to match what is used by the
majority of the other messages:
  * "Cannot" vs. "Can't" -> choose "Cannot"
  * "property:%" -> "property %"
  * omit the full-stop at the end of the message

BUG=v8:5673

Review-Url: https://codereview.chromium.org/2686233008
Cr-Commit-Position: refs/heads/master@{#43150}

This adds support for deoptimizing into the JSConstructStub after the
receiver instantiation but before the actual constructor invocation.
Such a deoptimization point is needed for cases where instantiation
might be observed (e.g. when new.target is a proxy) and hence might
trigger a deopt.

We use this new deoptimization point for the "after" frame-state the
inliner attaches to {JSCreate} nodes being inserted when constructor
calls are being inlined.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-5638b
BUG=v8:5638

Change-Id: I7c72c807ee8fb76d12e0e9ccab86d970ab1a0efd
Reviewed-on: https://chromium-review.googlesource.com/440125Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43149}

Previously, accumulators and registers each had a single element cache,
distinct from the local register cache. This meant that

 a) Dead accumulator state nodes were not re-used if the accumulator
    became live.
 b) Functions with only one parameter (the this object) or only one
    local register could not reuse the single-valued state value node
    of the accumulator.

This patch introduces heavier re-use of state-value nodes, decreasing
memory use when building the graph and decreasing the number of nodes
created overall.

Change-Id: Ie3cc6913483aab0819d99be382eb2cb42de8c3d2
Reviewed-on: https://chromium-review.googlesource.com/440926Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43148}

After this, only 2 illegal includes to objects-inl.h remain (some wasm stuff).

R=​mstarzinger@chromium.org
BUG=v8:5294

Change-Id: I18682f42f0d2a7cc29a0a0be76f8e4eea26aafd9
Reviewed-on: https://chromium-review.googlesource.com/441744Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43147}

If exactly one byte in the upper half of the pushed 8-byte value is
set, use a smaller code sequence to push this value on the stack.
Before, we did
  movq r10,<constant>
  push r10
Now, we do
  push 0x0
  movb [rsp+<offset>],<byte>

The old sequence had 12 bytes, the new one has 7.
Pushing such values is used a lot for stack frame markers, which are
small numbers (1-17) encoded as SMIs.

Review-Url: https://codereview.chromium.org/2685213004
Cr-Commit-Position: refs/heads/master@{#43146}

BUG=chromium:673246
NOTRY=true
TBR=marja@chromium.org

Change-Id: If1fe4e886f03b3d6df57fb55df4db7efe7c625fa
Reviewed-on: https://chromium-review.googlesource.com/441764Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43145}

R=neis@chromium.org

Review-Url: https://codereview.chromium.org/2690723002
Cr-Commit-Position: refs/heads/master@{#43144}

This way it's possible to disable Assert() even in Debug
builds via --nodebug-code.

R=danno@chromium.org
BUG=v8:5268

Review-Url: https://codereview.chromium.org/2690983002
Cr-Commit-Position: refs/heads/master@{#43143}

(The bug below is fixed.)

BUG=v8:5938

Change-Id: Ifa0213b1475b1f065238ffad77a03cdfdc49bd28
Reviewed-on: https://chromium-review.googlesource.com/441724Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43142}

Windows won't create empty .lib files, and will subsequently fail to
find the library other rules expect

R=machenbach@chromium.org
BUG=

Change-Id: I8b848834a6957c2164f0eafc853587d39ccb6ca9
Reviewed-on: https://chromium-review.googlesource.com/440244Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43141}

NOTRY=true
R=hablich@chromium.org

Review-Url: https://codereview.chromium.org/2692443002
Cr-Original-Commit-Position: refs/heads/master@{#43138}
Committed: https://chromium.googlesource.com/v8/v8/+/a3de4726c3c1ced8c85a221edb66a55a2ed2a04c
Review-Url: https://codereview.chromium.org/2692443002
Cr-Commit-Position: refs/heads/master@{#43140}

Revert of [fuzzer] Format README.md (patchset #2 id:20001 of https://codereview.chromium.org/2692443002/ )

Reason for revert:
Found another mistake

Original issue's description:
> [fuzzer] Format README.md
>
> NOTRY=true
> R=hablich@chromium.org
>
> Review-Url: https://codereview.chromium.org/2692443002
> Cr-Commit-Position: refs/heads/master@{#43138}
> Committed: https://chromium.googlesource.com/v8/v8/+/a3de4726c3c1ced8c85a221edb66a55a2ed2a04c

TBR=hablich@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2693863002
Cr-Commit-Position: refs/heads/master@{#43139}

NOTRY=true
R=hablich@chromium.org

Review-Url: https://codereview.chromium.org/2692443002
Cr-Commit-Position: refs/heads/master@{#43138}

We cannot skip the @@hasInstance lookup in instanceof depending on a
global protector cell, as the lookup of the property is observable
via proxies or accessors. So remove the global protector and properly
implement CSA::InstanceOf via GetPropertyStub, with an appropriate
fast-path for Function.prototype[@@hasInstance] where we call the
builtin code object directly if the function matches, skipping all
the checks from the call sequence, and also avoid the redundant
ToBoolean conversion on the result.

R=yangguo@chromium.org
TBR=ulan@chromium.org
BUG=v8:5958

Review-Url: https://codereview.chromium.org/2684033012
Cr-Commit-Position: refs/heads/master@{#43137}

BUG=none
R=pfeldman@chromium.org,yangguo@chromium.org,jgruber@chromium.org

Review-Url: https://codereview.chromium.org/2688243004
Cr-Commit-Position: refs/heads/master@{#43136}

Use private symbols to mark default promise handler, instead of calling out to default
handlers defined in JS. We check for this symbol in PromiseHandle and perform the
appropriate behavior as the default handlers.

Catch prediction logic is updated to account for a symbol.

BUG=v8:5343

Review-Url: https://codereview.chromium.org/2695593002
Cr-Commit-Position: refs/heads/master@{#43135}

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/a6b2121..67cf0dc

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: Ife98ccbac145d280c8db845586dc73f14c20ad9f
Reviewed-on: https://chromium-review.googlesource.com/441605Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43134}

BUG=

Review-Url: https://codereview.chromium.org/2688483004
Cr-Commit-Position: refs/heads/master@{#43133}

Revert of [typedarrays] move %TypedArray%.prototype.copyWithin to C++ (patchset #6 id:100001 of https://codereview.chromium.org/2671233002/ )

Reason for revert:
Due to security issue described in review thread.

Original issue's description:
> [typedarrays] move %TypedArray%.prototype.copyWithin to C++
>
> - Removes shared InnerArrayCopyWithin JS builtin from src/js/array.js
> - Implements %TypedArray%.prototype.copyWithin as a C++ builtin, which
> relies on std::memmove rather than accessing individual eleements.
> - Fixes the case where copyWithin is invoked on a TypedArray with a
> detached buffer.
> - Add tests to ensure that +/-Infinity (for all 3 parameters) is handled correctly by the
> algorithm
>
> The C++ version gets through the benchmark more than 25000 times as
> quickly as the JS implementation.
>
> BUG=v8:5925, v8:5929, v8:4648
> R=cbruni@chromium.org, adamk@chromium.org, littledan@chromium.org
>
> Review-Url: https://codereview.chromium.org/2671233002
> Cr-Commit-Position: refs/heads/master@{#42975}
> Committed: https://chromium.googlesource.com/v8/v8/+/0f1c626d556cbf84b0e572635eb803729f88cbb3

TBR=cbruni@chromium.org,adamk@chromium.org,bmeurer@chromium.org,cwhan.tunz@gmail.com,caitp@igalia.com
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:5925, v8:5929, v8:4648

Review-Url: https://codereview.chromium.org/2693753002
Cr-Commit-Position: refs/heads/master@{#43132}

These intrinsics are no longer required, but their runtime call pendants
are still in use. So remove support for those from all compilers.

BUG=v8:5049
R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2694623002
Cr-Commit-Position: refs/heads/master@{#43131}

A couple of the builtins in src/js/typedarray.js still depends on these
intrinsics, so if we don't want to regress all of them, we'll have to
support these trivial intrinsics until the JS builtins are migrated.

R=yangguo@chromium.org
BUG=v8:5267

Review-Url: https://codereview.chromium.org/2695553002
Cr-Commit-Position: refs/heads/master@{#43130}

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2663433003
Cr-Commit-Position: refs/heads/master@{#43129}

It reduces the add operation for certain checked load/stores by pre-do
the add in compiling phase.

BUG=

Review-Url: https://codereview.chromium.org/2593483002
Cr-Commit-Position: refs/heads/master@{#43128}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/0d29448..3e5cfce

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: Id55df9c6550a29e463e64b6db43fbc25e661424d
Reviewed-on: https://chromium-review.googlesource.com/441604Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43127}

Do not allow that holey properties are defined in Array sort.
Throw a type error if the array is not extensible and there are holey
properties in the middle of the array.

BUG=v8:4888

Review-Url: https://codereview.chromium.org/2664173002
Cr-Commit-Position: refs/heads/master@{#43126}

R=neis@chromium.org

Review-Url: https://codereview.chromium.org/2686413002
Cr-Commit-Position: refs/heads/master@{#43125}

This patch removes the implication from --harmony to --harmony-tailcalls.

R=ishell@chromium.org
BUG=v8:4698

Review-Url: https://codereview.chromium.org/2691483004
Cr-Commit-Position: refs/heads/master@{#43124}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/9d467bb..0d29448

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/df42e55..a6b2121

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: If3df9091dd68f09541748bf31ff4eff512cb8534
Reviewed-on: https://chromium-review.googlesource.com/441405Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43123}

BUG=none
R=pfeldman@chromium.org

Review-Url: https://codereview.chromium.org/2690663003
Cr-Commit-Position: refs/heads/master@{#43122}

If a job was already enqueued, EnqueueAndStep would still step the job one
more step. However, since it didn't take the job out of the
pending_background_jobs pool, the job could get picked up by a background
thread which would try to step it, but it the job is now at a step which
can't be run on the background.

BUG=v8:5203,chromium:685515

Change-Id: I2cee2a33625ba455aca49a8037601be9ff8bb73f
Reviewed-on: https://chromium-review.googlesource.com/441084
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43121}

The heuristic checks for "(function", and now it also checks for
"(async function".

BUG=v8:4230

Review-Url: https://codereview.chromium.org/2682173005
Cr-Commit-Position: refs/heads/master@{#43120}

We have different modes of tracing: recording, event callback and
filtering. The cpu profiler should not be enabled when tracing is
enabled with filtering mode.

BUG=688651

Review-Url: https://codereview.chromium.org/2676403002
Cr-Commit-Position: refs/heads/master@{#43119}

This roll includes the SharedArrayBuffer tests (skipping for now)
but doesn't include the $ renaming.

This is a reland; previously, I reverted because I was confused about why
the rename of $ to $262 didn't break tests; it now seems that the
previous patch left it as an alias. This patch does not do the renaming
yet, as the renaming usage has not landed upstream yet.

R=adamk

Review-Url: https://codereview.chromium.org/2685603003
Cr-Commit-Position: refs/heads/master@{#43118}

Since preparser creates different scopes than the parser, the invariant "at most one rest parameter" doesn't hold when the rest param is a destructuring param.

No new tests added; the problem is visible w/ existing tests with FLAG_lazy_inner_functions on.

R=​vogelheim@chromium.org
BUG=chromium:690919

Change-Id: I525b8dfee92acd0733702c5a940a1a83a94712df
Reviewed-on: https://chromium-review.googlesource.com/440925Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43117}

Don't block on inner function compilation before competing outer function
compilation. Instead wait for the compilation to complete when the function
is called.

BUG=v8:5203

Review-Url: https://codereview.chromium.org/2686673002
Cr-Commit-Position: refs/heads/master@{#43116}

Removes handles from bytecode generation, instead storing
un-internalized AstValues (and other, similar values such as Scopes and
AstRawStrings) in the constant array builder.

This will allow us in the future to generate the bytecode before
internalizing the AST.

BUG=v8:5832

Change-Id: I3b8be8f7329a484eb1e5d12808b001d3475239da
Reviewed-on: https://chromium-review.googlesource.com/439326
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43115}

R=jgruber@chromium.org, kozyatinskiy@chromium.org
BUG=v8:5821

Review-Url: https://codereview.chromium.org/2685483002
Cr-Original-Commit-Position: refs/heads/master@{#43049}
Committed: https://chromium.googlesource.com/v8/v8/+/1a989bdeefdc679745215ae547007773edb3d29e
Review-Url: https://codereview.chromium.org/2685483002
Cr-Commit-Position: refs/heads/master@{#43114}

The --ignition-filter hasn't worked properly for a while due to some functions
only being supported by Ignition. Remove it and add a --print-bytecode-filter
to allow the main use-case of limiting bytecode printing to a particular
function.

BUG=chromium:685476,v8:5203

Change-Id: Id41eeb3083ae9f713433d3a30227cd4c5d0d47dd
Reviewed-on: https://chromium-review.googlesource.com/441047Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43113}